Bug 376348

Summary: CVE 2017-5593: User Impersonation Vulnerability in Jabber protocol
Product: [Unmaintained] kopete Reporter: Pali Rohár <pali.rohar>
Component: Jabber PluginAssignee: Kopete Developers <kopete-bugs-null>
Status: RESOLVED FIXED    
Severity: critical    
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Other   
OS: All   
Latest Commit: https://commits.kde.org/kopete/6243764c4fd0985320d4a10b48051cc418d584ad Version Fixed/Implemented In: 16.12.3
Sentry Crash Report:

Description Pali Rohár 2017-02-11 12:21:58 UTC 
Kopete since 16.11.80 is vulnerable for CVE 2017-5593 (User Impersonation Vulnerability) as it uses same XMPP library as Psi (libiris).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5593
http://seclists.org/oss-sec/2017/q1/373

Fix for libiris:
https://github.com/psi-im/iris/pull/47/commits/02e976d4426a1319a7af7d26d7aba9d8c6077570
Comment 1 Pali Rohár 2017-02-11 12:28:29 UTC 
Kopete versions since 1.10.80, part of KDE 16.11.80 are vulnerable.
Comment 2 Pali Rohár 2017-02-11 12:37:01 UTC 
Git commit 6243764c4fd0985320d4a10b48051cc418d584ad by Pali Rohár.
Committed on 11/02/2017 at 12:24.
Pushed by pali into branch 'Applications/16.12'.

Fix CVE 2017-5593 (User Impersonation Vulnerability) in jabber protocol
FIXED-IN: 16.12.3

A  +52   -0    protocols/jabber/libiris/patches/01_cve_2017-5593.patch
M  +9    -5    protocols/jabber/libiris/src/xmpp/xmpp-im/xmpp_tasks.cpp

https://commits.kde.org/kopete/6243764c4fd0985320d4a10b48051cc418d584ad